
<!DOCTYPE html>
<html>
<head>

<script>
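    // Forwards cached company firmographics (written under '_6senseCompanyDetails'
    // in localStorage) to the tag-manager dataLayer.
    //
    // localStorage is writable by every script that runs on this origin, so the
    // cached value is treated as untrusted: a missing entry, unparsable JSON or an
    // unexpected shape is skipped instead of throwing and aborting the script.
    var companyDetails6Sense = null;
    var jsonVal = null;

    try {
        // Reading localStorage can itself throw when storage is blocked by the browser.
        companyDetails6Sense = localStorage.getItem('_6senseCompanyDetails');

        // The previous guard joined its three tests with ||, which is always true,
        // so a missing entry reached JSON.parse(null) and then failed on `.company`.
        if (companyDetails6Sense) {
            jsonVal = JSON.parse(companyDetails6Sense);
        }
    } catch (storageOrParseError) {
        jsonVal = null;
    }

    if (jsonVal && jsonVal.company && typeof jsonVal.company === "object") {
        var companyRevenueRange = jsonVal.company.revenue_range;
        var companyCountry = jsonVal.company.country;
        var companyIndustry = jsonVal.company.industry;
        var companyName = jsonVal.company.name;
        var companyRegion = jsonVal.company.region;
        var companyDomain = jsonVal.company.domain;
        // Segments are forwarded as a JSON string, not as an object.
        var segments = JSON.stringify(jsonVal.segments);

        window.dataLayer = window.dataLayer || [];
        window.dataLayer.push({
            "company_industry" : companyIndustry,
            "company_name" : companyName,
            "company_revenue" : companyRevenueRange,
            "company_country" : companyCountry,
            "company_region" : companyRegion,
            "company_domain" : companyDomain,
            "segments" : segments
        });
    }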

</script>

<style>.async-hide { opacity: 0 !important} </style>
<!-- Page-hiding snippet. It appends the class 'async-hide' to the root element
     (the style rule just above sets that class to opacity 0), stores a handle
     object on window.dataLayer.hide, and removes the class again when h.end is
     called or after a 4000 ms timeout. The handle object is keyed by the
     container id GTM-5ZX7QTZ. Presumably h.end is called by the remotely loaded
     container script; confirm. NOTE(review): until then the whole page is
     invisible, so rendering depends on a third-party script for up to 4 seconds. -->
<script>(function(a,s,y,n,c,h,i,d,e){s.className+=' '+y;h.start=1*new Date;
h.end=i=function(){s.className=s.className.replace(RegExp(' ?'+y),'')};
(a[n]=a[n]||[]).hide=h;setTimeout(function(){i();h.end=null},c);h.timeout=c;
})(window,document.documentElement,'async-hide','dataLayer',4000,
{"GTM-5ZX7QTZ":true});</script>

<title>ELFant in the Room – capa v3 | FireEye Inc</title>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="alternate" type="application/atom+xml" title="Atom Feed for &#39;ELFant in the Room – capa v3&#39;" href="/content/fireeye-www/en_US/blog/threat-research/2021/09/elfant-in-the-room-capa-v3/_jcr_content.feed">
<link rel="canonical" href="https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html">
<meta name="language" content="en">
<meta name="locale" content="en_US">
<meta http-equiv="cleartype" content="on">
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, minimum-scale=1.0, maximum-scale=1.0">
<meta name="description" content="With our newest code and ruleset updates, capa v3 identifies capabilities in Executable and Linkable Format (ELF) files.
">

<meta itemprop="name" content="ELFant in the Room – capa v3">
<meta itemprop="description" content="With our newest code and ruleset updates, capa v3 identifies capabilities in Executable and Linkable Format (ELF) files.
">
<meta itemprop="image" content="https://www.fireeye.com/content/dam/fireeye-www/fw/images/fireeye-2-color-square.png">

<meta name="twitter:site" content="@FireEye">
<meta name="twitter:title" content="ELFant in the Room – capa v3">
<meta name="twitter:description" content="With our newest code and ruleset updates, capa v3 identifies capabilities in Executable and Linkable Format (ELF) files.
">
<meta name="twitter:creator" content="@FireEye">
<meta name="twitter:image" content="https://www.fireeye.com/content/dam/fireeye-www/fw/images/fireeye-2-color-square.png">

<meta property="og:title" content="ELFant in the Room – capa v3">
<meta property="og:type" content="website">
<meta property="og:url" content="https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html">
<meta property="og:image" content="https://www.fireeye.com/content/dam/fireeye-www/fw/images/fireeye-2-color-square.png">
<meta property="og:description" content="With our newest code and ruleset updates, capa v3 identifies capabilities in Executable and Linkable Format (ELF) files.
">
<meta property="og:site_name" content="FireEye">
<meta property="fb:admins" content="45127269202">
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery.min.js"></script>

<!-- Tag-manager bootstrap. It pushes a 'gtm.start' event onto window.dataLayer,
     then creates an async script element for
     https://www.googletagmanager.com/gtm.js with id GTM-MVGC8KK and inserts it
     before the first script element of the document.
     NOTE(review): the fetched script, and any tags it loads in turn, run with the
     full privileges of this page. A script element injected this way carries no
     integrity attribute, so a Content-Security-Policy allow-list for script
     sources is the control to check. The container id here differs from the one
     used by the page-hiding snippet earlier in the head (GTM-5ZX7QTZ); confirm
     that both are intended. -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
    new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
    j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
    'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
    })(window,document,'script','dataLayer','GTM-MVGC8KK');</script>


<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery/granite/csrf.min.js"></script>
<script type="text/javascript" src="/etc/designs/fireeye-www/clientlibs_nav.min.js"></script>
<script type="text/javascript">
// Current value of the "ec-privacy" consent cookie; undefined when it has never been set.
// $.cookie is presumably the jquery.cookie plugin (confirm which script provides it).
var cookiesOK = $.cookie("ec-privacy");
// Shared namespace object; reused if an earlier script already created it.
var fdc =fdc || {};
// Records acceptance in the "ec-privacy" cookie (site-wide path) and hides the banner.
// NOTE(review): no `secure` option is passed, so the cookie is also sent over plain HTTP.
// With jquery.cookie a numeric `expires` is a lifetime in days; confirm.
var onAccept = function () {
	$.cookie("ec-privacy", "accept", { path: "/", expires: 365 });
	jQuery("#cookie-privacy-banner").hide();
};

// Records a decline in the same cookie, with the same options, and hides the banner.
var onDecline = function () {
	$.cookie("ec-privacy", "decline", { path: "/", expires: 365 });
	jQuery("#cookie-privacy-banner").hide();
};

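/* ipLocation: looks up the visitor's country through geoip2.country() and shows
 * the privacy banner only for the listed country codes when no consent choice
 * has been stored yet. Every failure path hides the banner. */
var ipLocation = (function () {
	var banner ="#cookie-privacy-banner";

	/* Show the privacy notification banner. */
	var showBanner = function (banner) {
		jQuery(banner).show();
	};

	/* Suppress the privacy notification banner. */
	var hideBanner = function (banner) {
		jQuery(banner).hide();
	};

	/* These are the country codes for the countries subject to EC privacy laws.
	 * We will check to see if a visitor is coming from one of these countries.
	 * If they are, we display a privacy notification banner. If not, we
	 * do nothing. */
	var countries = {
		"AT": true,"BE": true,"BG": true,"HR": true,"CY": true,"CZ": true,"DK": true,
		"EE": true,"FI": true,"FR": true,"DE": true,"GR": true,"HU": true,"IE": true,
		"IT": true,"LV": true,"LT": true,"LU": true,"MT": true,"NL": true,"PL": true,
		"PT": true,"RO": true,"SK": true,"SI": true,"ES": true,"SE": true,"GB": true
	};
	var defaultSite = "US";

	var onSuccess = function (geoipResponse) {
		/* The document-ready handler on this page reads fdc.geoipResponse, while
		 * this callback used to write only fdc.geoipresponse, so the cached lookup
		 * was never found. Store it under both spellings; the lower-case one is
		 * kept for any existing reader. */
		fdc.geoipResponse = geoipResponse;
		fdc.geoipresponse = geoipResponse;

		/* There's no guarantee that a successful response object
		 * has any particular property, so we need to code defensively:
		 * a missing response or country object must not throw. */
		if (!geoipResponse || !geoipResponse.country || !geoipResponse.country.iso_code) {
			hideBanner(banner);
			return;
		}

		/* Test hook: on hosts whose name contains "stage", a Singapore lookup is
		 * rewritten to Spain. This mutates the shared response object.
		 * NOTE(review): the match is a substring test on location.host; confirm
		 * that no production hostname contains "stage". */
		if (location.host.indexOf("stage") >= 0 && geoipResponse.country.iso_code === "SG") {
			geoipResponse.country.iso_code = "ES";
		}

		/* ISO country codes are in upper case. */
		var code = geoipResponse.country.iso_code;

		/* Own-property test so that a value such as "constructor" coming from the
		 * lookup service cannot match an inherited Object property. */
		var isListedCountry = Object.prototype.hasOwnProperty.call(countries, code) && countries[code];

		if (isListedCountry && (cookiesOK == undefined)) {
			showBanner(banner);
		}
		else {
			hideBanner(banner);
		}
	};

	/* We don't really care what the error is. */
	var onError = function (error) {
		hideBanner(banner);
	};

	return function () {
		/* The geoip2 client is provided by another script. If it is blocked or
		 * failed to load, treat that like a lookup error instead of throwing.
		 * NOTE(review): hiding the banner on failure matches onError; confirm
		 * that this is the intended fail-safe for consent. */
		if (typeof geoip2 === "undefined" || typeof geoip2.country !== "function") {
			hideBanner(banner);
			return;
		}
		geoip2.country( onSuccess, onError );
	};
}());
ipLocation();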
</script>
<div class="htmlpassthru_836d htmlpassthru">

<script type="text/javascript">
    // Polyfill String.prototype.includes for browsers that lack it.
    if (!String.prototype.includes) {
        String.prototype.includes = function() {
            var position = String.prototype.indexOf.apply(this, arguments);
            return position !== -1;
        };
    }

// Synthetic-monitoring clients are recognised by their User-Agent string and
// handled as if they had declined tracking. The header is client-controlled,
// so this is a convenience switch and not an access control.
var userAgent = navigator.userAgent;
var gomezAgent = userAgent.includes("GomezAgent");
var prtgAgent = userAgent.includes("PRTG Network Monitor");

if (gomezAgent || prtgAgent) {
    cookiesOK = "decline";
}

if (cookiesOK != "decline") {
    // Google Analytics was here. Now it's in Tealium and GTM.
}

// Temporary patch for AA issue: give later calls to _satellite.track a no-op
// target when the real object has not been defined.
if (typeof _satellite == "undefined") {
    _satellite = { track: function(){} };
}
</script>
<style>
@media ( max-width : 959px) {
    .g04 .megamenu .n03-sub_table .n03-sub_cell, .g04 .megamenu .separator {
        display: block;
    }
    .g04 .megamenu .n03_list-item-sub>.megamenu-cta {
        padding: 0;
    }
    .g04 .megamenu .n03-sub_cell.n03-sub_cell-utility {
        padding: 11px 0 11px 10px;
    }
}

@media ( min-width : 48em) {
    .cta-bar .n01 .n01_cell {
        width: auto;
    }
}

/* styles for the CTA bar test */
.n01.n01v1 .n01_cell {
    background-color: #222;
    border: 1px solid #444;
}

.n01.n01v1 .n01_cell .ficon, .n01.n01v1 .n01_cell .n01_label, .n01.n01v1 .n01_text
    {
    color: #fff;
}

@media ( min-width : 48em) {
    .n01.n01v1 .n01_cell {
        background-color: transparent;
        border: none;
    }
    .n01.n01v1 .n01_link {
        background-color: #222;
        border: 1px solid #444;
        border-right: 0;
    }
}
/* fix for new footer */
.g03v1 .g03-s-i:after {
    left: -3px;
}
/* fix for tables */
span.nowrap {
    white-space: nowrap;
}
/* fix for blog cta */
.blog-cta {
    border: 1px solid #dadadb;
    background-color: #ebebed;
    margin-bottom: 10px;
    line-height: 0;
}
</style>
<link rel="stylesheet" type="text/css" href="https://cloud.typography.com/6746836/6977592/css/fonts.css" />
<link rel="stylesheet" type="text/css" href="/content/dam/fireeye-www/fw/css/patch.css?v=1" />
<script type="text/javascript">
// Share-widget settings: reuse an existing config object if one is already defined,
// switch click-back tracking off, and share the URL of the current page.
var addthis_config = addthis_config || {};
addthis_config.data_track_clickback = false;

var addthis_share = { url: window.location.href };
</script>
<style>
/* fix for IE */
.uc-he01v1 .uc-he01_container .background {
    max-height: 470px;
    position: absolute;
}
.uc-he01v2 .uc-he01_container .background {
    position: absolute;
}
@media (max-width: 48em) {
    .uc-he01v1 .uc-he01_container .background {
        max-height: 320px;
    }
}
@media (min-width: 54em) {
    .uc-he01v1 .uc-he01_container .background {
        max-height: 600px;
    }
}
</style>
<style>
/* Update the images used in the Table component. */
.c09v1 .tablesorter-default .header, .c09v1 .tablesorter-default .tablesorter-header {
background-position-x: calc(100% - 4px);
background-image: url()
}
.c09v1 .tablesorter-default thead .headerSortUp,.c09v1 .tablesorter-default thead .tablesorter-headerSortUp,.c09v1 .tablesorter-default thead .tablesorter-headerAsc{background-image: url()}
.c09v1 .tablesorter-default thead .headerSortDown,.c09v1 .tablesorter-default thead .tablesorter-headerSortDown,.c09v1 .tablesorter-default thead .tablesorter-headerDesc{background-image: url()}
.c09v1 .tablesorter-default thead .sorter-false {
    background-image: none;
}
@media (max-width: 41.9125em){
    .c09.c09v1.has-data-label tr>:not(:first-child):before {
        width: auto; min-width: 35%;
    }
}
</style>
<script>
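$(document).ready(function(){
    // The geo-IP success callback on this page stores its result as
    // fdc.geoipresponse (lower case), while this handler used to read only
    // fdc.geoipResponse, so the cached result was never found and the lookup
    // was always repeated. Accept either spelling.
    var geoResult = typeof fdc.geoipResponse !== "undefined" ? fdc.geoipResponse : fdc.geoipresponse;

    // No result yet: trigger the lookup (again) if the helper is available.
    if(typeof(ipLocation) !== "undefined" && typeof geoResult === "undefined"){ipLocation();}

    // A null or otherwise empty result is ignored so that the country check cannot throw.
    if(geoResult){
        showCountryNotification(geoResult);

        // Show the consent banner to EU visitors who have not made a choice yet.
        if(typeof geoResult.country !== "undefined" && geoResult.country.is_in_european_union && ($.cookie("ec-privacy") == undefined)){
            jQuery("#cookie-privacy-banner").show();
        }
    }
});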
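/* Opens the language-suggestion modal for visitors whose geo-IP country is FR,
 * DE, JP or KR and points its button at the matching entry of the language
 * list (.g01_options_list). Does nothing for other countries or when the
 * response carries no country code.
 *
 * geoipResponse: lookup result; only country.iso_code is read. */
function showCountryNotification(geoipResponse) {
	if (!geoipResponse || !geoipResponse.country || !geoipResponse.country.iso_code) {
        return;
    }
	// langIndex is always one of the fixed integers 1 to 5, so the selectors
	// built from it below never contain text taken from the lookup response.
	var code = geoipResponse.country.iso_code,
	    langIndex = code === "FR" ? 2 : code === "DE" ? 3 : code === "JP" ? 4 : code === "KR" ? 5 : 1;
	if (langIndex > 1) {
		$('.c08_modal.lang').addClass("is-open");
		$('.c08_modal.lang .col:nth-child(' + (langIndex - 1) + ')').show();
		// Clicking the backdrop or a dismiss control records the decline and closes the modal.
		$('.c08_modal.lang, .c08_modal.lang [data-behavior="dismiss-c08"]').click(function(){
		    $.cookie("country-notification", "decline", { path: "/", expires: 365 });
		    closec08();
		});
		// Clicks inside the dialog itself must not reach the backdrop handler.
		$('.c08_modal.lang .c08').click(function(e){
		    e.stopPropagation();
		});
		// attr("href") is undefined when the language list has no such entry;
		// calling indexOf on it used to throw. Treat a missing link like a
		// link that is not an .html page and close the modal.
		var localizedHref = $(".g01_options_list li:nth-child(" + langIndex + ") a").attr("href");
		var hasLocalizedPage = typeof localizedHref === "string" && localizedHref.indexOf(".html") >= 0;
		if (($.cookie("country-notification") === "decline") || !hasLocalizedPage) {
		    closec08();
		} else {
		    $(".c08_modal.lang .btn").eq(langIndex - 2).attr("href", localizedHref);
		}
	}
}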
</script>
<script>    
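     // Configures the 6sense tag queue (window._6si) and loads its script.
     // Company details are requested again only when nothing is cached or the
     // cache timestamp is more than one day old.
     var _6SenseJsonObj = localStorage.getItem('_6senseCompanyDetails'),
         _6SenseTime = localStorage.getItem('_6senseCompanyDetails-timestamp'),
         // A missing or non-numeric timestamp counts as stale. Previously a
         // garbage value parsed to NaN, the comparison was false, and the cache
         // was then treated as fresh indefinitely. localStorage is writable by
         // any script on this origin, so the value is not assumed to be clean.
         isJsonStale = (function (rawTimestamp) {
             var cachedAt = parseInt(rawTimestamp, 10);
             return isNaN(cachedAt) || Date.now() - cachedAt > 86400000; // 86400000 = 1 day in ms
         })(_6SenseTime);

     window._6si = window._6si || [];
     window._6si.push(['enableEventTracking', true]);
     // NOTE(review): the token and the key below are delivered to every visitor
     // in the page source, so they must be values that are safe to publish.
     window._6si.push(['setToken', '1322340356018696d853e0ac6f7ce3a2']);
     window._6si.push(['setEndpoint', 'b.6sc.co']);
     if(_6SenseJsonObj === null || isJsonStale){
       window._6si.push(['enableCompanyDetails', true]);
       window._6si.push(['setEpsilonKey', '325d6d60e24c7cfc3a782839d85ce08c8d3bb27c']);
       // The timestamp is written when the refresh is requested, not when the
       // details arrive.
       localStorage.setItem('_6senseCompanyDetails-timestamp', Date.now());
     }
    (function () {
      var gd = document.createElement('script');
      gd.type = 'text/javascript';
      gd.async = true;
      // Explicit https instead of a protocol-relative URL, so the third-party
      // script is never fetched over plain HTTP. It still runs with full page
      // privileges and without an integrity check.
      gd.src = 'https://j.6sc.co/6si.min.js';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(gd, s);
     })();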
</script>
<script>
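    // Last raw value read from localStorage by targetPageParams().
    var jsonObj;

    /**
     * Builds page parameters from the company details cached under
     * '_6senseCompanyDetails' in localStorage.
     *
     * Returns an object with the company fields and the segments serialised as
     * a JSON string, or undefined when nothing usable is cached. The cached
     * value is writable by any script on this origin, so unreadable storage,
     * unparsable JSON and a missing `company` object all yield undefined
     * instead of throwing into the caller.
     */
    function targetPageParams() {
        var parsed = null;
        var company;

        try {
            jsonObj = localStorage.getItem('_6senseCompanyDetails');
            if (jsonObj) {
                parsed = JSON.parse(jsonObj);
            }
        } catch (storageOrParseError) {
            return undefined;
        }

        company = parsed ? parsed.company : null;
        if (!company || typeof company !== "object") {
            return undefined;
        }

        return {
            "companyRevenueRange": company.revenue_range,
            "companyCountry": company.country,
            "companyIndustry": company.industry,
            "companyName": company.name,
            "companyRegion": company.region,
            "companyDomain": company.domain,
            "segments": JSON.stringify(parsed.segments)
        };
    }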
</script>
<script>
$(document).ready(function () {
    // Clicking any "load more" control lifts the height cap on the list containers.
    var liftHeightCap = function () {
        $(".list.parbase").addClass("no-max-height");
    };
    $(".loadmore").on("click", liftHeightCap);

    // Don't show title text for textures.
    $(".texture img").attr("title", "");
});
</script>
<style>
.no-max-height .c11v9 h4{
    max-height: none !important;
}
.g04 #header-search .search-field_submit:after {
    font-size: 9px;
}
.c11v8.hideLinkText .btn {
    display: inline-block;
}
/* CTA fix */
.g04 .megamenu-tab .has-inner-cta .n03-sub_container {
    padding: 0;
    margin: 0 0 0 10px;
    max-width: 1210px;
}
.g04 .megamenu-tab .has-inner-cta .col-wrap {
    padding: 40px 0;
}
.g04 .n03-sub_container[data-columns="1"] .megamenu-cta {
    width: 50%;
}
.g04 .n03-sub_container[data-columns="2"] .megamenu-cta {
    width: 33.9%;
}
.g04 .has-inner-cta > [data-columns="2"] .n03-sub_cell {
    width: calc(50% - 60px);
}
.g04 .n03-sub_container[data-columns="3"] .megamenu-cta {
    width: 25%;
}
.g04 .n03-sub_container[data-columns="4"] .megamenu-cta {
    width: 20%;
}
.g04 .megamenu-cta h5 {
    line-height: 1.4;
}
html .g04 header .megamenu-cta h5 {
    font-weight: 500;
    font-size: 15px;
    color: #44474d;
}
html .g04 header .megamenu-cta p {
    text-transform: none;
}
.g04 .n03-sub_table > .megamenu-cta {
    background: none;
    padding: 0;
}
.g04 .megamenu-cta .n03_utility {
    border: none;
    height: 100%;
}
.g04 .megamenu-cta .n03_utility_cell {
    display: block;
    width: auto;
    margin-left: 30px;
}
/* Un/re-comment to add/remove in the line to the left of the CTA in the megamenu. */
/*.g04 .n03-sub_table .col-wrap:not(:last-child) .separator.disabled {
    border-right-color: #ebebed;
}*/

/* Put a grid over the texture from a neighboring grid. */
.force {
    z-index: 15;
    position: relative;
}
/* Remove the gradient above the tiles on blog pages and reduce the space there. */
.iparsys + .l_container>div.gradient-top {
    background-image: none;
}
.iparsys + .l_container>.gradient-top>div>.g {
    padding: 0;
}
@media (min-width: 35em) {
    .entries .highlightFirst .c11v9 .c11-image-div {
        border-left: 1px solid #dadadb;
        border-right: 1px solid #dadadb;
    }
}
@media (max-width: 1024px) {
    .uc-he01v2 .panel .asset .image img {
        max-height: 200px;
	max-width: 300px;
    }
}
/* mobile view for MegaMenu CTA. */
@media (max-width: 1024px) {
    .g04 .megamenu-tab.open .n03_list-item-sub.has-inner-cta {
        padding-bottom: 0;
    }
    .g04 .has-inner-cta > [data-columns="2"] .n03-sub_cell,
    .g04 .n03-sub_container[data-columns="2"] .megamenu-cta {
        width: 100%;
        display: block;
    }
    .g04 .megamenu-tab .has-inner-cta .n03-sub_container {
        margin: 0;
    }
    .g04 .megamenu-tab .has-inner-cta .n03-sub_container .col-wrap {
        padding: 0;
    }
    .g04 .megamenu-cta .n03_utility_cell {
        margin-left: 15px;
        margin-right: 22px;
    }
    .g04 .megamenu-cta .n03_utility_cell:nth-child(1) {
        padding-bottom: 0;
    }
    .g04 .megamenu-cta .n03_utility_cell:nth-child(2) {
        padding-top: 0;
    }
    .g04 .megamenu-cta .n03_utility_cell h5,
    .g04 .megamenu-cta .n03_utility_cell p {
        font-size: 12px;
    }
    .content-2-par .megamenus .n03-sub_table .megamenu-cta {
        border-radius: 0;
    }
}
/* Training pages side design. */
  .training-side-box {background: url('/content/dam/fireeye-www/brand/homepage-banner-images/hpb-bg-testimonial-red.jpg') left no-repeat; background-size: cover; padding:30px; border: 1px solid #dadadb; margin-bottom: 20px;}
  .training-side-text {color: #ffffff;}
  .training-side-text a:hover {color: #ffffff; text-decoration: underline;}

/* Avoid column breaks in ordered lists. */
  .c00 ol > li {page-break-inside: avoid; margin-bottom: 15px;}

/* Safari needs this on html to stop side scrolling, not just on the body. */
html {overflow-x:hidden;}
/* Make sure the footer is above a texture that precedes it. */
#g03-footer {z-index: 725;}
/* Allow border for linked images. */
.border>a>img {border: 1px solid #dadadb;}
/* Allows for easy scrollable text boxes on blog pages right in the Blog Text component. */
table.limitedHeight td {
    height: 350px;
    display: block;
    overflow-y: scroll;
    overflow-x: hidden;
    padding-bottom: 0;
}
/* Fix for edge case in Safari where page title in breadcrumbs wraps when the title is just the right length. */
.g02_list_item:last-child span {
    min-width: 360px;
    display: block;
}
/* fix issue of hidden Event Spotlights having margin when used with .row-count-2 */
.parsys > .spotlight-event.section:empty {
    display: none;
}
@media (min-width: 60em) {
.row-count-2 .parsys>div:nth-child(even):not(:empty) {
    margin-right: 40px;
}
}
/* Don't also vertically center a nested column. */
.l_container.vertically-center .g > div:not(.stacked) > .g-content .g > div > .g-content {
    top: auto;
    transform: none;
    position: unset;
}

/* Footer SVG resize. */
@media (max-width: 25em) {
  .g03 .g03_copyright {background-size: 36px;}
}

/* HPB padding and resize. */
@media (max-width: 81em) {
  .hero-container-v3 {padding: 0 60px !important;}
}
@media (max-width: 64em) {
  .hero-container-v3 {padding: 0 20px !important;}
}
@media (max-width: 42em) {
  .hero-container-v3 {padding: 0 10px !important;}
  .uc-he01v2 .uc-he01_title {font-size: 1.75rem !important;}
  .uc-he01v2 .uc-he01_description {font-size: 1.0rem !important;}
}

/* Some 2021 Redesign changes. */
html .a02 .search .search-field_text {
    border: 1px solid #dadadb;
    border-radius: 5px 0 0 5px;
}
html .a02 .search .search-field_submit {
    background-color: #bf2129;
    border: 1px solid #dadadb;
    border-radius: 0 5px 5px 0;
    height: 29px;
}
html .a02 .search .search-field_submit:after {
    top: 8px;
    left: 6px;
}
html.backdropfilter .g04.masthead {
    -webkit-backdrop-filter: saturate(150%) blur(15px);
}
.blog p, .blog li, .blog .entrytext p, .blog .entrytext li {
    font-size: 0.9375rem;
}

</style></div>

<link rel="stylesheet" href="/etc/designs/fireeye-www/clientlibs_fw-2021.min.css" type="text/css">
<link rel="stylesheet" href="/etc/clientlibs/fireeye-blog/clientlibs_base.min.css" type="text/css">
<link rel="icon" type="image/vnd.microsoft.icon" href="/content/dam/fireeye-www/brand/logos/fireeye.ico">
<link rel="shortcut icon" type="image/vnd.microsoft.icon" href="/content/dam/fireeye-www/brand/logos/fireeye.ico">
</head>

<body itemscope itemtype="http://schema.org/WebPage" data-redesign="redesign-2021"><script type="text/javascript">window.Granite = window.Granite || {}; window.Granite.csrf = true;</script>


<div class="clientcontext parbase"><script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/utils.min.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/jquery.min.js"></script>
<script type="text/javascript" src="/etc.clientlibs/foundation/clientlibs/shared.min.js"></script>
<script type="text/javascript" src="/etc.clientlibs/clientlibs/granite/lodash/modern.min.js"></script>
<script type="text/javascript" src="/etc.clientlibs/cq/personalization/clientlib/personalization/kernel.min.js"></script>
<script type="text/javascript">
    // Registers a callback with $CQ (presumably run when the DOM is ready; confirm)
    // that loads the segment definitions from "/etc/segmentation" and initialises
    // the client context from "/etc/clientcontext/default" for this page's
    // content path. The paths are server-rendered string literals with "/" and "-"
    // escaped; nothing here is read from the URL or from user input.
    $CQ(function() {
        CQ_Analytics.SegmentMgr.loadSegments("\/etc\/segmentation");
        CQ_Analytics.ClientContextUtils.init("\/etc\/clientcontext\/default", "\/content\/fireeye\u002Dwww\/en_US\/blog\/threat\u002Dresearch\/2021\/09\/elfant\u002Din\u002Dthe\u002Droom\u002Dcapa\u002Dv3");

        
    });
</script>
</div>


<div class="masthead_v2 masthead-v2">
<div class="g04 masthead g04v1">
<header role="banner" itemscope itemtype="http://schema.org/WPHeader">
<div class="language-and-search"> <div class="search">
<div class="content-searchbox searchbox">
<a class="g01_options-option option-search" href="#header-search" data-for="q" data-behavior="showHeaderMenu focusField">Search</a>
<div class="option-menu option-menu_search" id="header-search">
<form method="get" action="/search.html">
<fieldset class="search-field" title="Search FireEye.com">
<label class="search-field_label" for="q">Search FireEye.com</label>
<input class="input-text search-field_text" type="text" name="q" id="q" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" data-locale="en_US" placeholder="Search FireEye.com">
<div id="searchboxsuggestions"></div>
<button class="btn btn-secondary search-field_submit" type="submit">Go</button>
</fieldset>
</form>
</div>
</div>
</div>
</div>
<div class="logo-and-megamenu">
<div class="logo" itemscope itemtype="https://schema.org/Brand">
<a href="https://www.fireeye.com"><img src="/content/dam/fireeye-www/fw/images/fe-logo-white.svg" alt="FireEye" itemprop="logo" class="fireeye" /></a>
</div>
<nav class="megamenu">
<ul><li class="megamenu-tab" data-curry="/blog.html" data-link="/products.html">
<h4 class="megamenu-title">
<a href="/products.html" itemprop="url" class="MegaMenus">Products</a>
</h4>
<div class="content-0-par parsys"><div class="megamenus section">

<div class="n03_list-item-sub has-inner-cta ">
<div class="n03-sub_container" data-columns="2">
<div class="n03-sub_table">
<div class="col-wrap">
<div class="n03-sub_cell">
<div class="parsys"><div class="megamenu-list section">
<h4 class="n03-sub_title">Enterprise Security</h4><ul><li itemprop="url"><a href="/products/helix.html" itemprop="name" class="MegaMenus">Helix Security Platform</a></li>
<li itemprop="url"><a href="/products/network-security.html" itemprop="name" class="MegaMenus">Network Security and Forensics</a></li>
<li itemprop="url"><a href="/products/endpoint-security.html" itemprop="name" class="MegaMenus">Endpoint Security</a></li>
<li itemprop="url"><a href="/products/email-security.html" itemprop="name" class="MegaMenus">Email Security</a></li>
<li itemprop="url"><a href="/products/cloudvisory.html" itemprop="name" class="MegaMenus">Cloudvisory</a></li>
<li itemprop="url"><a href="/products/detection-on-demand.html" itemprop="name" class="MegaMenus">Detection On Demand</a></li>
</ul></div>
</div>
</div><div class="separator"></div>
<div class="n03-sub_cell">
<div class="parsys"><div class="megamenu-list section">
<h4 class="n03-sub_title">Security For:</h4><ul><li itemprop="url"><a href="/products/cloud-security.html" itemprop="name" class="MegaMenus">Cloud</a></li>
<li itemprop="url"><a href="/products/financial-services.html" itemprop="name" class="MegaMenus">Financial Services</a></li>
<li itemprop="url"><a href="/products/government.html" itemprop="name" class="MegaMenus">Government</a></li>
<li itemprop="url"><a href="/products/healthcare.html" itemprop="name" class="MegaMenus">Healthcare</a></li>
<li itemprop="url"><a href="/products/education.html" itemprop="name" class="MegaMenus">Higher Education</a></li>
<li itemprop="url"><a href="/products/industrial-systems-and-critical-infrastructure-security.html" itemprop="name" class="MegaMenus">Industrial &amp; Critical Infrastructure</a></li>
</ul></div>
<div class="htmlpassthru section">
<style>
  .content-0-par .n03_utility {background-color: transparent;}
  .n03_utility_cell {padding: 0 13px 0 0;}
</style></div>
</div>
</div><div class="separator disabled"></div></div><div class="megamenu-cta">

<div class="n03_utility">
<div class="n03_utility_container">
<div class="n03_utility_table">
<div class="n03_utility_cell">
<h5>FireEye XDR</h5>
<p>Simplify threat detection and response with FireEye&nbsp;XDR.</p>
</div>
<div class="n03_utility_cell"><div class="button"><a class="btn btn-B2282D compact" href="/products/xdr.html">Explore FireEye XDR</a></div>
</div>
</div>
</div>
</div></div>
</div>
</div>
<div class="view-all-bar">
<a href="/products.html" class="MegaMenus">
VIEW ALL PRODUCTS</a>
</div></div>
</div>
</div>
</li><li class="megamenu-tab" data-curry="/blog.html" data-link="/customers.html">
<h4 class="megamenu-title">
<a href="/company/customers.html" itemprop="url" class="MegaMenus">Customers</a>
</h4>
<div class="content-1-par parsys"><div class="megamenus section">

<div class="n03_list-item-sub has-inner-cta ">
<div class="n03-sub_container" data-columns="2">
<div class="n03-sub_table">
<div class="col-wrap">
<div class="n03-sub_cell">
<div class="parsys"><div class="megamenu-list section">
<h4 class="n03-sub_title">Customers</h4><ul><li itemprop="url"><a href="/customers.html" itemprop="name" class="MegaMenus">Customer Stories</a></li>
<li itemprop="url"><a href="/company/customers.html" itemprop="name" class="MegaMenus">Customer Success</a></li>
<li itemprop="url"><a href="https://csportal.fireeye.com/" target="_blank" itemprop="name" class="MegaMenus">Customer Portal</a></li>
</ul></div>
<div class="megamenu-list section">
<h4 class="n03-sub_title">Get Support</h4><ul><li itemprop="url"><a href="/support/contacts.html" itemprop="name" class="MegaMenus">Contact Support</a></li>
</ul></div>
</div>
</div><div class="separator"></div>
<div class="n03-sub_cell">
<div class="parsys"><div class="megamenu-list section">
<h4 class="n03-sub_title">Find Answers</h4><ul><li itemprop="url"><a href="/support/programs.html" itemprop="name" class="MegaMenus">Support Programs</a></li>
<li itemprop="url"><a href="/support/notices.html" itemprop="name" class="MegaMenus">Support Notices</a></li>
<li itemprop="url"><a href="/support/products.html" itemprop="name" class="MegaMenus">Supported Products</a></li>
<li itemprop="url"><a href="https://community.fireeye.com/" target="_blank" itemprop="name" class="MegaMenus">Communities</a></li>
<li itemprop="url"><a href="https://docs.fireeye.com" target="_blank" itemprop="name" class="MegaMenus">Documentation Portal</a></li>
</ul></div>
</div>
</div><div class="separator disabled"></div></div><div class="megamenu-cta">

<div class="n03_utility">
<div class="n03_utility_container">
<div class="n03_utility_table">
<div class="n03_utility_cell">
<h5>Support</h5>
<p>A global network of support experts available 24x7. We offer simple and flexible support programs to maximize the value of your FireEye products and services.</p>
</div>
<div class="n03_utility_cell"><div class="button"><a class="btn btn-44474D expand" href="/support.html">Get support</a></div>
</div>
</div>
</div>
</div></div>
</div>
</div>
</div>
</div>
</div>
</li><li class="megamenu-tab" data-curry="/blog.html" data-link="/partners.html">
<h4 class="megamenu-title">
<a href="/partners.html" itemprop="url" class="MegaMenus">Partners</a>
</h4>
<div class="content-2-par parsys"><div class="megamenus section">

<div class="n03_list-item-sub has-inner-cta ">
<div class="n03-sub_container" data-columns="2">
<div class="n03-sub_table">
<div class="col-wrap">
<div class="n03-sub_cell">
<div class="parsys"><div class="megamenu-list section">
<h4 class="n03-sub_title">FireEye Partners</h4><ul><li itemprop="url"><a href="/partners.html" itemprop="name" class="MegaMenus">Partners Overview</a></li>
<li itemprop="url"><a href="/partners/resellers.html" itemprop="name" class="MegaMenus">FireEye Affinity Resellers</a></li>
<li itemprop="url"><a href="/partners/strategic-technology-partners.html" itemprop="name" class="MegaMenus">Technology Partners</a></li>
<li itemprop="url"><a href="/partners/global-solution-providers.html" itemprop="name" class="MegaMenus">Global Solution Providers</a></li>
</ul></div>
</div>
</div><div class="separator"></div>
<div class="n03-sub_cell">
<div class="parsys"><div class="megamenu-list section">
<h4 class="n03-sub_title">Partner Resources</h4><ul><li itemprop="url"><a href="https://partners.fireeye.com/directory/" target="_blank" itemprop="name" class="MegaMenus">Partner Locator</a></li>
<li itemprop="url"><a href="http://training.fireeye.com/" target="_blank" itemprop="name" class="MegaMenus">Partner Education Center</a></li>
<li itemprop="url"><a href="/support.html" itemprop="name" class="MegaMenus">Support</a></li>
</ul></div>
<div class="megamenu-list section">
<h4 class="n03-sub_title">Partnering with FireEye</h4><ul><li itemprop="url"><a href="https://www2.fireeye.com/Partner-Request-LP-New.html" target="_blank" itemprop="name" class="MegaMenus">Become a Partner</a></li>
</ul></div>
</div>
</div><div class="separator disabled"></div></div><div class="megamenu-cta">

<div class="n03_utility">
<div class="n03_utility_container">
<div class="n03_utility_table">
<div class="n03_utility_cell">
<h5>Partner Portal</h5>
<p>Access for our registered Partners to help you be successful with FireEye.
Collateral, deal registration, request for funds, training, enablement, and more.</p>
</div>
</nav>
</div>
<span class="burger ficon ficon-menu"></span>
</header>
</div>
</div>


<main class="l_main" role="main">
<div class="l_container">
<div class="g g-alt ">
<div class="g-u-17-24 l_g-u-1">
<div class="g-content">
<div class="blog main"><div itemscope itemtype="http://schema.org/BlogPosting">
<div class="summary entrytextteaser">
</div>
<div class="title entrytitle">
<h2 class="category-name">Threat Research Blog</h2>
<h1 class="blogpostlanding red" itemprop="headline">ELFant in the Room – capa v3</h1>
<div class="c00 c00v0 entry-meta-block selfClear">
<time class="entry-date" itemprop="datePublished" content="2021-09-15T13:00:00Z">September 15, 2021</time>
<span class="sep"> | </span>
<span class="by-author" itemscope itemtype="http://schema.org/Person">by <a href="/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/cap-willi-ballenthin" title="View all entries filed under 'Fireeye - Authors : Willi Ballenthin'">Willi Ballenthin</a>, <a href="/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/moritz-raabe" title="View all entries filed under 'Fireeye - Authors : Moritz Raabe'">Moritz Raabe</a>, <a href="/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/mike-hunhoff" title="View all entries filed under 'Fireeye - Authors : Mike Hunhoff'">Mike Hunhoff</a>, <a href="/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/ana-maria-martinez-gomez" title="View all entries filed under 'Fireeye - Authors : Ana Maria Martinez Gomez'">Ana Maria Martinez Gomez</a><meta itemprop="author" content="Willi Ballenthin" /><meta itemprop="contributor" content="Moritz Raabe" /><meta itemprop="contributor" content="Mike Hunhoff" /><meta itemprop="contributor" content="Ana Maria Martinez Gomez" /></span>
<div class="tags-section">
<a class="tagList" href="/blog/threat-research.html/category/etc/tags/fireeye-blog-tags/reverse-engineering"> <span class="tagbutton">Reverse Engineering</span></a><br class="on-mobile" />
<a class="tagList" href="/blog/threat-research.html/category/etc/tags/fireeye-blog-tags/malware"> <span class="tagbutton">Malware</span></a><br class="on-mobile" />
<a class="tagList" href="/blog/threat-research.html/category/etc/tags/fireeye-blog-tags/FLARE"> <span class="tagbutton">FLARE</span></a><br class="on-mobile" />
</div>
</div>
</div>
<div class="par parsys"><div class="entrytext section"><div class="c00 c00v0" itemprop="articleBody">
<p>Since our initial&nbsp;<a href="/blog/threat-research/2020/07/capa-automatically-identify-malware-capabilities.html" adhocenable="false">public release of capa</a>, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format (ELF) files, such as those used on Linux and other Unix-like operating systems. This blog post describes the extended analysis and other improvements. You can download capa v3 standalone binaries from the project’s <a href="https://github.com/fireeye/capa/releases">release page</a> and check out the source code on <a href="https://github.com/fireeye/capa">GitHub</a>.</p>
<h4>ELF File Format Support</h4>
<p>capa finds capabilities in programs by parsing executable file formats, disassembling code, and then recognizing features in functions. In versions v1 and v2, capa only understood the PE file format, so its analysis was restricted to Windows programs. Thanks to our colleagues at <a href="https://www.intezer.com">Intezer</a>, capa now recognizes ELF files! This means you can use the tool to identify behaviors in malware that targets Linux computers. Figure 1 shows a rule that describes techniques to fetch the current user on Linux.</p>
<p><img src="/content/dam/fireeye-www/blog/images/capa-v3-elf/fig1.png" alt=""><br>
<span class="type-XS">Figure 1: capa rule identifying capabilities on Linux</span></p>
<p>We’re excited Intezer leverages capa and thrilled they are sharing their improvements with the community. In addition to the code updates, Intezer proposed 36 capa rules to identify various capabilities in ELF files, such as reconnaissance, persistence, and host interaction techniques. Please read <a href="https://www.intezer.com/blog/malware-analysis/analyzing-capabilities-in-PE-and-ELF-files">Intezer’s blog post</a> for more details.</p>
<h4>New Features capa Can Recognize</h4>
<p>As we taught capa to recognize ELF files, we also wanted rule authors to tune their rules to find behaviors specific to different operating systems (OS), CPU architectures, and file formats. For example, the APIs exposed by Windows are very different from those found on Linux systems; therefore, rules should clearly designate which pattern to use on Windows versus Linux.</p>
<p>Based on discussions and feedback collected from users and contributors, we've extended capa’s rule format to describe OSes, CPU architectures, and file formats. The rule shown in Figure 2 uses <span class="code">os</span> features to distinguish techniques used to get networking interface information on Windows and Linux. Note that the rule is explicit about which APIs are found on each OS, making it easy for both humans and machines to interpret the matching logic.</p>
<p><img src="/content/dam/fireeye-www/blog/images/capa-v3-elf/fig2.png" alt=""><br>
<span class="type-XS">Figure 2: capa rule using the os feature to distinguish OS-specific features</span></p>
<p>We’ve also added <span class="code">arch</span> (such as <span class="code">arch: i386</span> for 32-bit Intel code) and <span class="code">format</span> (such as <span class="code">format: elf</span> for ELF files) features to distinguish between CPU architectures and file formats. To learn more about these features and capa’s rule syntax, see the <a href="https://github.com/fireeye/capa-rules/blob/master/doc/format.md">rule format documentation</a> on GitHub.</p>
<p>Unfortunately, rules with these new features are not backwards compatible with older versions of capa. We therefore recommend upgrading your capa installation to take advantage of our enhanced rules.</p>
<h5>Substring Features</h5>
<p>To make many rules easier to read, we’ve added a convenience feature named <span class="code">substring</span> that acts like a literal string match with implied leading and trailing wildcards. This makes it easier to match file path components, such as <span class="code">/.ssh/id_rsa</span>. Previously, users had to express such a match as a regular expression, wrapping the substring in forward slashes and escaping special characters with backslashes, which led to nearly incomprehensible character sequences. Now, a substring feature clearly describes a literal string found as part of a longer string. Figure 3 shows how much easier it is to read a substring feature.</p>
<p><img src="/content/dam/fireeye-www/blog/images/capa-v3-elf/fig3.png" alt=""><br>
<span class="type-XS">Figure 3: Old- and new-style ways of describing a substring</span></p>
<p>Figure 4 shows a capa rule using a substring feature to describe a persistence location on Linux.</p>
<p><img src="/content/dam/fireeye-www/blog/images/capa-v3-elf/fig4.png" alt=""><br>
<span class="type-XS">Figure 4: capa rule using the substring feature to identify persistence on Linux systems</span></p>
<h4>Conclusion</h4>
<p>The newest improvements add ELF file analysis support to capa and make its rules even more expressive. We thank the community and notably Intezer for their continued support. We love the collaboration and are excited for future opportunities. The v3 capa release also includes bug fixes, improvements to the IDAPython plugin <a href="https://github.com/fireeye/capa/tree/master/capa/ida/plugin">capa explorer</a>, and more than 50 new rules. See the <a href="https://github.com/fireeye/capa/blob/master/CHANGELOG.md">capa changelog</a> for all update details.</p>
<p>The new capa release is available on the <a href="https://github.com/fireeye/capa/releases">release page</a> and on <a href="https://pypi.org/project/flare-capa/">PyPI</a>. capa’s <a href="https://github.com/fireeye/capa">code</a> and <a href="https://github.com/fireeye/capa-rules">rules</a> are available on GitHub. If you have any questions or feedback, please open an issue or discussion in the respective repository.</p>
</div>
<div class="clear-all"></div></div>
</div>
</div></div>
</div>
</div>
</div>
</div>
</main>

</body>
</html>
